[00:01.440 --> 00:05.990]  Hi, my name is Per Thorsheim and I am the founder of PasswordsCon.
[00:06.190 --> 00:10.330]  I'm really happy to be speaking once again at the Crypto & Privacy Village here,
[00:10.330 --> 00:14.950]  this time at the DEF CON Safe Mode 2020 edition.
[00:15.750 --> 00:23.310]  My talk is entitled Hacking Like Paris Hilton 14 Years Later and Still Winning.
[00:23.630 --> 00:30.290]  And this is a talk that has been in the making for quite a few years
[00:30.290 --> 00:36.410]  by me now. So I'm really, really happy to sort of tell the entire story on this one.
[00:36.470 --> 00:44.110]  First, a very quick introduction of myself. Here you have a tweet a couple of years ago when I
[00:44.110 --> 00:49.090]  said that I do have a certain interest in passwords and Cormac Herley at Microsoft Research,
[00:49.090 --> 00:55.250]  he responds back saying that, confirm I have a healthy curiosity while Thorsheim is pathologically
[00:55.250 --> 01:01.670]  obsessed with passwords and, well, digital authentication. So that's basically me in a
[01:01.670 --> 01:09.650]  nutshell. Now, I do say this because for this talk it's important for me to provide a bit of
[01:09.650 --> 01:15.110]  background and context to the stuff that I'm going to talk about. I'm going to talk about
[01:15.110 --> 01:21.110]  essentially two topics, hijacking of mobile phones in different ways and also voicemail hacking,
[01:21.110 --> 01:27.930]  getting access to your or somebody else's voicemail with the provider in question that
[01:27.930 --> 01:34.190]  you are using. And why am I talking about this? Well, my interest is in passwords and digital
[01:34.190 --> 01:41.070]  authentication. And in some cases, we have stuff like two-factor authentication, which is, you know,
[01:41.070 --> 01:46.310]  everybody is talking about now, you should be using two-factor authentication. I agree.
[01:46.310 --> 01:54.170]  But in a lot of cases, people are using their mobile phones to do exactly this. In fact,
[01:54.650 --> 01:58.510]  you know, you are using two-factor authentication using text messages,
[01:58.510 --> 02:04.930]  maybe email, which more and more people are probably using on their phones or iPads anyway.
[02:05.290 --> 02:12.010]  There can be also voice-based SMS two-factor authentication. You have in-app push messages,
[02:12.010 --> 02:17.930]  you have TOTP authenticator apps, Google Authenticator is probably the most common one.
[02:17.930 --> 02:23.070]  And of course, maybe you're using WebAuthn as well, either through a hardware key or maybe
[02:23.070 --> 02:30.550]  you have it integrated in your operating system like Android has today. And
[02:32.370 --> 02:38.280]  if I want to hack into your account somewhere and you are using two-factor authentication,
[02:38.920 --> 02:45.680]  well, it doesn't actually block me from hacking your account.
[02:45.680 --> 02:52.220]  It makes it more difficult. But the only thing that is certain in life are death and taxes and
[02:52.220 --> 03:00.060]  everything else can be hacked and probably will be sooner or later. So mobile hijacking,
[03:00.060 --> 03:05.040]  something that came up to me many, many years ago when we saw sort of like
[03:05.800 --> 03:12.640]  two-factor authentication by SMS coming in as a thing that some were using. And I got curious,
[03:12.640 --> 03:17.840]  well, how can I bypass this? How can I hack it? And so on.
[03:18.880 --> 03:25.780]  So seven years ago, actually, the Norwegian Government Agency for Financial Supervision
[03:25.780 --> 03:33.280]  and Regulation, they issued their annual report about the financial market in Norway with lots
[03:33.280 --> 03:40.220]  of interesting information to some nerds, including losses due to like skimming,
[03:40.220 --> 03:49.140]  physical card skimming, and also online banking attacks as an example. And they said, and this
[03:49.140 --> 03:58.440]  is 2013, they did say that they were expecting a rapid increase in mobile hacking. And they said
[03:58.440 --> 04:04.400]  that they were cautious and they were concerned about the fact that people were starting to have
[04:04.400 --> 04:12.700]  their entire digital life, including banks, including passport information, your money,
[04:12.700 --> 04:20.160]  and your digital life on your phone, and you would be carrying your phone with you all the time.
[04:21.100 --> 04:27.220]  And it was, you know, I'm sort of willing to say that they were basically ahead of their time,
[04:27.220 --> 04:34.560]  at least for Norway, where I live, because did we see any, you know, sudden increase in mobile
[04:34.560 --> 04:41.700]  hacking in 2013? Not really. And it also depends on what kind of mobile hacking are we talking
[04:41.700 --> 04:48.620]  about. Now, here's a typical example that you have probably seen. Now, the message here is a
[04:48.620 --> 04:55.740]  text message received in Norwegian. And the simple translation is, you know, we could not invoice
[04:55.740 --> 04:59.900]  your membership for this month. Try again or update your payment details in order to continue
[04:59.900 --> 05:05.280]  watching Netflix. And there's a totally legit link down below that you're supposed to click.
[05:05.800 --> 05:09.660]  Now, I was actually sitting on my couch in my living room and watching Netflix
[05:10.800 --> 05:18.580]  with a woman next to me on a Saturday evening. And, you know, we had turned down the... but I
[05:18.580 --> 05:22.460]  had turned down the lights and we had some... we had some chips and we had some food and we,
[05:22.460 --> 05:28.160]  you know, enjoying a good movie. And then suddenly it says ping in her phone. And politely,
[05:28.160 --> 05:32.600]  of course, I stop Netflix and I look away. And she's typing and she's typing and she's typing
[05:32.600 --> 05:38.520]  even more on her phone. And I'm, well, I'm sort of getting curious about, you know, what happened now.
[05:38.860 --> 05:47.040]  And then she suddenly asks me, is it common that Netflix asks for your social security number?
[05:47.300 --> 05:51.920]  And that's the moment when I turn on the lights and turn off the TV and said,
[05:51.920 --> 05:57.940]  hey, love's gotta wait. We do have a security problem at hand. Give me your phone.
[05:59.040 --> 06:04.500]  And I got it. And this is, this is the text message that I saw on screen. And I say, well,
[06:04.500 --> 06:10.280]  you have probably already given away your username and your password. So now we have to change that
[06:10.280 --> 06:17.040]  for Netflix. Simple scam. A lot of people, lots of people fall victim to this one. But it's the
[06:17.040 --> 06:25.940]  big thing. Well, monetary wise, I don't know. Is it a threat to society? No, not really.
[06:27.000 --> 06:32.040]  But we have also had other and more, should I say, interesting cases in here in Norway.
[06:32.040 --> 06:40.720]  As an example, we had a minister in the government who actually went on a holiday trip to Iran with
[06:40.720 --> 06:46.400]  his new Iranian girlfriend. And when you are a minister, you know, you should be sort of careful
[06:46.400 --> 06:53.120]  of that, at least in the current political climate. And he did travel and he did not tell
[06:53.120 --> 06:58.800]  the secret police. He didn't tell any intelligence services or lifeguards. He didn't tell the prime
[06:58.800 --> 07:05.900]  minister or anyone else. He just went for it. And that's a big no-no. And when he came back,
[07:05.900 --> 07:11.680]  one of the statements that he issued was pretty amazing. He said that, you know,
[07:11.680 --> 07:16.980]  he had been, you know, traveling before. He knew his stuff when it comes to security.
[07:16.980 --> 07:23.720]  So he said that his phone was secure because most of the time it was turned off and was just
[07:23.720 --> 07:32.420]  left in the hotel room in Iran. Now, this and a lot more about, you know, this person and in this
[07:32.420 --> 07:41.990]  case led to the simple fact he was forced to resign from his position. Now, for mobile hijacking,
[07:41.990 --> 07:47.510]  I will be talking about port-out attacks, which I have chosen to call them, and to differentiate
[07:47.510 --> 07:53.970]  that a little bit from sim-swap attacks. And I will also talk about spoofing, the sort of the
[07:53.970 --> 07:59.190]  thing of, you know, what can you do when you are trying to pretend to be somebody else,
[07:59.190 --> 08:06.110]  or if you actually succeed in becoming somebody else. There is also traditional fraud involved
[08:06.110 --> 08:12.170]  in mobile hijacking as something as simple as having an insider issuing a sim card for you
[08:12.170 --> 08:16.030]  in the wrong name and so on. I will not be talking about that.
[08:17.870 --> 08:24.110]  Port-out attacks are the simple process of transferring a phone number to another operator.
[08:24.110 --> 08:28.810]  That is one of the things you can do in Norway. You don't have to change your number,
[08:28.810 --> 08:34.930]  you can transfer it freely to any operator you want to. And when I started working for
[08:34.930 --> 08:43.490]  my current employer three years ago, I came to, you know, for my first workday on August 1st,
[08:43.490 --> 08:50.890]  and I have been a customer of one telecom provider, Telenor, since basically the dawn of time,
[08:50.890 --> 08:56.490]  more or less. And my employer said, you know, just give us your name and your phone number,
[08:56.490 --> 09:01.950]  and, you know, we'll take care of porting it to the new provider that we are using,
[09:01.950 --> 09:08.730]  we will be paying for your phone subscription, period. And I was like, you just need my
[09:08.730 --> 09:15.070]  name and my phone number? Yeah, that's it. So I said, well, it's Per Thorsheim,
[09:15.070 --> 09:21.030]  and my phone number is da-da-da-da-da. And by the way, phone numbers are by default public
[09:22.030 --> 09:28.950]  available to anyone in Norway, unless you specifically say, I do not want my number listed,
[09:28.950 --> 09:33.750]  or eventually also I want a secret phone number, there's a difference there.
[09:36.650 --> 09:45.610]  And my employer just sent an email to their telco saying that we want to transfer the
[09:45.610 --> 09:50.130]  subscription for Per's phone, current phone, this is the name, this is the phone number,
[09:50.130 --> 09:57.170]  and we want to port that out and over to your service, and we want it done as soon as possible,
[09:57.170 --> 10:03.730]  by email. And I got handed a new SIM card and envelope at work, and then I was told that,
[10:03.730 --> 10:11.490]  and this was on a Tuesday, and I was told that the port out will happen on Friday, midday noon.
[10:12.470 --> 10:17.990]  The porting actually happened on Thursday, 124 hours before it was supposed to happen,
[10:17.990 --> 10:24.630]  it happened at 12 o'clock. So suddenly my phone stopped working, and I had to take out the
[10:25.170 --> 10:30.610]  current SIM card and insert a new card from the new provider I had been given at work.
[10:30.610 --> 10:37.710]  And this means that there was a time window of approximately 48 hours, maybe even less,
[10:37.710 --> 10:44.950]  where I would have to sort of detect that something is wrong, understand what is actually
[10:44.950 --> 10:51.510]  happening right now, and then act before it would be too late. And not only that,
[10:51.510 --> 10:58.710]  I have also been told, without being told the exact time frames, I have been told that
[10:58.710 --> 11:05.450]  you can ask these telecom operators as well to do a very quick port of your number,
[11:05.450 --> 11:09.510]  and then it will probably happen in a few hours.
[11:11.670 --> 11:18.450]  And not only was this process going faster than expected, it happened in 48 hours or less,
[11:18.450 --> 11:24.810]  but for me to be able to understand, you know, if somebody initiated that without asking me or
[11:24.810 --> 11:31.270]  telling me at all, these are the two text messages that I would have to understand
[11:31.810 --> 11:37.850]  and react upon before it was too late. The first text message came from my current provider,
[11:37.850 --> 11:42.190]  which was Telenor. In Norwegian it says, you know, thank you for being a customer with us,
[11:42.190 --> 11:49.070]  sorry to see you go, and here's a questionnaire with an HTTP link, unencrypted link, where they
[11:49.070 --> 11:54.470]  just want to ask me a single question about, you know, why did I leave or would I like to come back
[11:54.470 --> 12:03.070]  again. And from my new phone provider, selected by my employer, I also got a text message.
[12:03.090 --> 12:09.410]  Interesting fact number one, the sender number is an invalid phone number, it's not possible
[12:09.410 --> 12:16.190]  to respond back to the number 470-5050, as you can see on the slide. And it says,
[12:16.190 --> 12:21.110]  welcome to Telia, which is the name of the operator, and your phone number is now transferred
[12:21.110 --> 12:26.790]  to us, have a nice day, best regards, Telia. That's it. And I'm just imagining my own mother
[12:26.790 --> 12:33.490]  receiving these two text messages, and I am very certain that she would not really understand
[12:33.490 --> 12:40.050]  what's happening here. And I'm not sure if she would actually call either of these two operators
[12:40.690 --> 12:51.590]  in time to understand what just happened. And one of the things that I did as part of this,
[12:51.590 --> 12:56.950]  because I've been working for several years looking into, you know, this issue of sort of
[12:56.950 --> 13:05.890]  like being able to hijack somebody's phone number through social engineering and so on,
[13:05.890 --> 13:11.370]  and I talked to the largest financial newspaper in Norway, Dagens Næringsliv, about this when I
[13:11.370 --> 13:20.110]  was sort of ready and said, I have some theories, I have some facts, but I need to be careful not to
[13:20.110 --> 13:26.870]  step over, you know, the red line on what is legal and what is illegal to do. But you are a newspaper,
[13:26.870 --> 13:33.570]  so you can sort of defend doing things that might be considered shady, because you are sort of
[13:33.570 --> 13:39.150]  working for the public and you should look into this. So they did. And they actually made an
[13:39.150 --> 13:44.430]  agreement with one of the most famous bloggers that we have in Norway, Sophie Elise, and they
[13:44.430 --> 13:49.950]  asked her, would it be okay for us to try to sort of hijack your phone number? And she agreed to
[13:49.950 --> 13:55.850]  that. And the newspaper actually has a video online that you can watch for free. It's like
[13:55.850 --> 14:03.210]  three minutes long, where a female reporter from the newspaper that looks nothing like this blogger
[14:03.570 --> 14:12.970]  she goes out on the street to a couple of sales people from a phone company, and she hands over
[14:13.390 --> 14:19.270]  a business card that is fake. Obviously, she printed it on her own printer. And she says,
[14:19.270 --> 14:27.290]  I'm Sophie Elise and I would like to port my number over to you. And with the fake business card only,
[14:27.290 --> 14:33.910]  they accept that as a valid ID and initiates the process. And the newspaper and of course,
[14:33.910 --> 14:40.210]  Sophie Elise, they were shocked that, is it that easy? You know, you can fake business cards
[14:40.210 --> 14:47.550]  really. This was scary and was scary to me, was scary to the newspaper. It was very scary to
[14:47.550 --> 14:56.210]  everyone to be precise. Now for SIM swap, I know that SIM swap is the standard term to use,
[14:56.210 --> 15:01.630]  especially in the US on these things. And I wanted to make a difference between what I call
[15:01.630 --> 15:08.230]  mobile hijacking and SIM swap attacks or port out and SIM swap attacks here. SIM swap to me is the
[15:08.230 --> 15:15.990]  same as in the US, you will get new SIM cards for a specific subscription for a specific phone
[15:15.990 --> 15:21.090]  number. I don't know if you can do this in the US. I don't know if you can do this in Sweden or
[15:21.090 --> 15:26.830]  for that matter. But at least in Norway, as part of your current service with your phone company,
[15:26.830 --> 15:31.910]  you can get the new SIM card and you don't need any sort of valid reason. You can just say,
[15:31.910 --> 15:37.210]  I want a new SIM card and you will get one. You can also get the twin SIM card. So you can have
[15:37.210 --> 15:43.570]  two phones that are essentially the same. So if somebody calls you, it will ring in both phones.
[15:43.730 --> 15:49.450]  And you can also get a data SIM card that, you know, given the name, you can not use it for
[15:49.450 --> 15:56.070]  making or accepting phone calls in or out, but you can use it for data traffic only. And you can
[15:56.070 --> 16:02.750]  get a specific data SIM card for your existing service subscription with all the operators,
[16:02.750 --> 16:12.510]  to the best of my knowledge. And the same thing applies here. Fake ID will probably get you one
[16:12.510 --> 16:19.010]  of these SIM cards that will also, given the circumstances, you will also be able to do sort
[16:19.010 --> 16:26.210]  of full or at least limited sort of surveillance of whatever victim you are targeting.
[16:27.970 --> 16:35.550]  So it became very obvious to us that we have a problem with identifying people. And we also
[16:35.550 --> 16:40.910]  have a problem in a business to business relationship and in general with authorization.
[16:41.410 --> 16:49.350]  If you are not ordering or changing a phone subscription for yourself, but for somebody else,
[16:49.350 --> 16:55.950]  how do we identify and how do we find out whether you're authorized to make those changes on behalf
[16:55.950 --> 17:03.090]  of another person? Obviously, there was a problem with this. One of the revelations made by the
[17:03.090 --> 17:12.290]  newspaper was that the telecom operator Telia, which is working out of many different countries,
[17:12.290 --> 17:23.310]  it's home base is in Sweden. They found out that in Sweden, the government requires Telia to ask
[17:23.310 --> 17:30.830]  for proper ID when you are setting up, terminating or changing or moving a phone subscription,
[17:31.470 --> 17:37.290]  like passport or something, digital ID, which is government approved.
[17:37.970 --> 17:43.590]  Now, Telia also operates in Norway, and we also have digital identities in Norway called Bank ID.
[17:44.190 --> 17:51.910]  And in Sweden, they are using Bank ID to identify their customers. So it was a pretty easy question.
[17:51.910 --> 17:58.210]  Are you using Bank ID or something similar in Norway as well? And Telia, they responded,
[17:58.210 --> 18:05.570]  no, we don't do that. And when the question came up, why don't you do that? The answer to the
[18:05.570 --> 18:13.290]  question was saying that we do as we are required to do by the government in Norway. And the answer
[18:13.290 --> 18:21.370]  to that, again, is the government in Norway didn't require the telephone operators to ask for any
[18:21.370 --> 18:29.130]  kind of solid ID, being it on paper, like passport or driver's license, or a digital version of a
[18:29.130 --> 18:37.890]  digital ID. Again, a big surprise. So I looked to the Federal Trade Commission in the US, more
[18:37.890 --> 18:44.890]  specifically to Lorrie Cranor, who is normally a professor at Carnegie Mellon University, and she
[18:44.890 --> 18:50.230]  wrote several articles on the Federal Trade Commission website. One where she talks about
[18:50.230 --> 18:56.710]  how she got her phone hijacked through a SIM swap attack. It's an interesting article, it's definitely
[18:56.710 --> 19:02.310]  worth reading. And one of the things she did was to ask all the major mobile carriers in the US
[19:02.310 --> 19:09.050]  what consumers could do to protect themselves from a mobile account takeover. One of the most
[19:09.050 --> 19:13.950]  important steps you can take is to establish a password or PIN that is required before making
[19:13.950 --> 19:20.190]  changes to your mobile account. Each of the carriers offers this feature to the customers
[19:20.190 --> 19:28.390]  in a slightly different way. And this was sort of good, I mean, social engineering, PIN guessing, and
[19:28.390 --> 19:34.910]  so on, can probably still get past this, but at least it's one more speed bump for the bad actors
[19:34.910 --> 19:41.990]  to try to hijack your number and do a SIM swap attack. But interestingly, none of the providers
[19:41.990 --> 19:49.630]  in Norway had any feature like this at all in place. And to the best of my knowledge, they are
[19:49.630 --> 19:57.570]  still working on figuring out how to do this in Norway. So as a result of this, or one of many
[19:57.570 --> 20:04.210]  results out of this process, which, you know, culminated in the spring of 2019, that means last
[20:04.210 --> 20:11.470]  year, is our Minister of Digitalization at the time, Nikolai Astrup, he instructed the Norwegian
[20:11.470 --> 20:18.410]  Communications Authority, NKOM, to implement security functions in order to prevent mobile hijacking
[20:19.110 --> 20:28.210]  in cooperation with the telecom sector. That is a pretty serious move to do when you instruct them
[20:28.210 --> 20:37.770]  to work on this immediately. And not only that, but also in September 2019, the government
[20:37.770 --> 20:47.170]  also released a hearing named Actions to Prevent Mobile Hijacking, as a direct consequence of the
[20:47.170 --> 20:54.790]  stories made by Dagens Næringsliv and by me earlier in the spring. This came out and there
[20:54.790 --> 21:01.430]  was a hearing process until December 2019, where, you know, everybody, government organizations and
[21:01.430 --> 21:07.750]  private people, could then give their input on the proposal for changes to the existing
[21:07.750 --> 21:15.510]  law. Now, this hasn't passed into law yet, but we are sort of waiting for the results from the
[21:15.510 --> 21:24.630]  hearings to see what's going to happen next. And also, while working with this on my own, and
[21:24.630 --> 21:30.630]  together with Dagens Næringsliv, I was not aware that a news website for the IT and security
[21:30.630 --> 21:36.970]  industry in Denmark, were also looking into the same thing, more or less, in Denmark with
[21:36.970 --> 21:44.690]  different providers. Simply, social engineering into stores selling SIM cards, making replacement
[21:44.690 --> 21:54.670]  SIM cards, and so on. And they succeeded many, many times. And, you know, they posted this article,
[21:54.670 --> 22:01.070]  among many others, saying that after multiple failures, telcos are actually considering
[22:01.070 --> 22:10.750]  completely stop handing out SIM cards in physical stores. Now, Norway is next to Sweden, next to
[22:10.750 --> 22:16.710]  Denmark, and next to Finland. They are neighbours. And we are very much alike in society, in law,
[22:16.710 --> 22:23.870]  in language, and so on. But one of the things that has been fascinating to me is to see the
[22:23.870 --> 22:31.990]  different reactions from the telcos, from newspapers, from, you know, normal people like
[22:31.990 --> 22:37.610]  you and me on the streets, and from politicians, on how they have reacted to these stories in the
[22:37.610 --> 22:45.950]  media. Because stopping completely to hand out SIM cards in physical stores hasn't even been
[22:45.950 --> 22:54.650]  mentioned by anyone in Norway or in Sweden at all. But it is pretty much the same operators
[22:55.310 --> 22:59.350]  working in these three countries. So it's kind of like,
[22:59.350 --> 23:05.030]  are you people not even talking to each other internally in the same company? Or what is
[23:05.030 --> 23:14.650]  happening here? So to sort of more better and better exemplify the problem of spoofing,
[23:14.650 --> 23:22.510]  I say, what if I could be you as a bad actor? Now, this is Crypto and Privacy Village. You know,
[23:22.510 --> 23:30.290]  we have had lots of talks on this. You are most probably watching EFF closely. You are watching
[23:30.290 --> 23:36.110]  what is happening in your country right now in terms of privacy. It doesn't look good in quite
[23:36.250 --> 23:43.050]  a few places all over the world. Now, in Norway, we do consider ourselves, you know, a very safe,
[23:43.050 --> 23:51.690]  solid, democratic country with a government that, you know, well, we trust our government,
[23:51.690 --> 23:59.830]  believe it or not. But still, there are cases where things are happening. Now, this one is an
[23:59.830 --> 24:09.810]  article or series of articles that were released in the fall of 2019, Chasing Max. And this is about
[24:09.970 --> 24:15.850]  a guy that has been caught by the police. And he is charged with hacking the accounts of
[24:15.850 --> 24:25.890]  approximately 50 different random women around the country, extracting pictures, videos, contact
[24:25.890 --> 24:32.870]  details, harvesting usernames and passwords, gaining access to Instagram, Facebook, and so on.
[24:32.870 --> 24:41.550]  50 women randomly all over Norway. And the newspaper told us a story about Nina.
[24:42.470 --> 24:49.430]  Nina was smart. Nina was using two-factor authentication, SMS-based two-factor
[24:49.430 --> 24:58.170]  authentication for her phone account, for Facebook, for Google, for Apple, and so on.
[24:58.170 --> 25:06.630]  And she woke up one morning with a picture like this, where she had received authorization codes
[25:06.630 --> 25:13.070]  from different services, like Microsoft, like Google, like Apple, in order to do a password
[25:13.070 --> 25:20.950]  reset. And she had lost access to a lot of her accounts. And she really couldn't understand
[25:20.950 --> 25:27.230]  how did this happen, because I was using two-factor authentication. And lots of people
[25:27.230 --> 25:31.850]  say that, well, if you have two-factor authentication, you're secure, right? Wrong.
[25:33.290 --> 25:39.090]  What they actually found out in this particular case is that Nina was using
[25:40.510 --> 25:47.850]  Telia, one of the telecom providers in Norway, and they had a service called SMS Copy.
[25:48.390 --> 25:54.430]  You could log on to their web page, like, you know, my page, and you could configure the SMS
[25:54.430 --> 26:01.130]  Copy service, which is essentially a message service, so that if you receive a text message
[26:01.130 --> 26:08.850]  to your phone, Telia will also silently forward that text message either to another phone number
[26:09.710 --> 26:15.870]  or send it to an email address. You know, what could possibly go wrong with this?
[26:17.650 --> 26:26.890]  And in order to get access to the my page at Telia, you needed a username and a password,
[26:26.890 --> 26:33.990]  and they did not offer any kind of two-factor authentication at all. So what this bad guy did,
[26:33.990 --> 26:38.970]  who is now being prosecuted by the police, he went to that page and tried to log in
[26:40.110 --> 26:45.850]  with a lot of different usernames and passwords. And as we know, people are reusing passwords.
[26:45.850 --> 26:53.470]  And I suspect that he got in through credential stuffing or online password spraying. And by
[26:53.470 --> 26:58.990]  getting in there, he could configure the SMS Copy service, he could order a password reset from
[26:58.990 --> 27:04.490]  different services, and although Nina received the messages, she received them in the middle of the
[27:04.490 --> 27:11.030]  night when she was sleeping, and he was up and he received the same messages, and by that he
[27:11.030 --> 27:20.230]  gained access to all the accounts of these women. And that, I think, serves as a really
[27:22.530 --> 27:27.450]  hard and scary example of what the possible consequences can be
[27:28.330 --> 27:35.890]  if you haven't secured your entire chain with two-factor authentication or something else.
[27:36.890 --> 27:44.720]  Two-factor authentication can be bypassed in so many different settings and scenarios.
[27:46.490 --> 27:53.310]  Now, this was about hijacking your phone number and receiving your text messages and so on.
[27:54.310 --> 28:00.410]  But I've also been looking into voicemail hacking. And this goes back again to the title of
[28:00.410 --> 28:10.310]  Paris Hilton, because all the way back in 2006, there was a lot of articles around the world
[28:10.310 --> 28:19.210]  saying that Paris Hilton and Lindsay Lohan had got into a sort of a disagreement, and they were
[28:19.210 --> 28:26.090]  trying to hack each other's phone numbers, spread them online, and also gain access to each other's
[28:26.090 --> 28:30.830]  voicemail boxes. And the story, to the best of my knowledge, is that Paris Hilton
[28:30.830 --> 28:37.650]  gained access to the voicemail box of Lindsay Lohan. And in even mainstream Norwegian media,
[28:37.650 --> 28:45.170]  this was mentioned on August 27, 2006. And not only did they mention this happening,
[28:45.170 --> 28:52.610]  they also actually mentioned the specific service that Paris Hilton had been using to do this.
[28:53.830 --> 29:01.250]  Now, if you Google voicemail hacking, you will find interesting results. One of them is a talk
[29:01.250 --> 29:07.590]  that has been presented at DEF CON before, that also includes a tool that you can use for some
[29:07.590 --> 29:13.870]  services with voicemail, where you can try to basically brute force the PIN code to get into
[29:13.870 --> 29:19.810]  the voicemail boxes. Some voicemail boxes will have a four-digit PIN, three digits, five, six
[29:19.810 --> 29:28.750]  digits that are randomly selected and provided by the telco to the user. Other telecom providers
[29:28.750 --> 29:35.230]  may allow you to select your own PIN. One of the things we know from PIN code research is that
[29:35.810 --> 29:39.450]  as soon as you allow users to select their own PIN code,
[29:39.450 --> 29:45.330]  those PIN codes are not going to be any good at all, in pretty much all cases.
[29:46.630 --> 29:53.850]  And there was also, back in 10 years ago, there was also a large scandal with News of the World
[29:54.530 --> 30:00.950]  in the UK, where the British royal family got their phones and their voicemail hacked by reporters
[30:00.950 --> 30:07.050]  that were able to extract messages that were, you know, most definitely not meant for the public to
[30:07.050 --> 30:14.670]  listen into. This was a big scandal, and also in this case, the suspicion was targeted against
[30:14.670 --> 30:19.850]  the same service as Paris Hilton had been using several years earlier.
[30:21.830 --> 30:28.230]  Now, this is probably a picture that you have seen before. In order to do a password reset at
[30:28.230 --> 30:32.890]  Microsoft, you have several different options. You can have an email sent to you with a link
[30:32.890 --> 30:39.270]  that you need to click to gain access, or you can also ask to use an authentication app if you have
[30:39.390 --> 30:46.010]  a TOTP app installed. And you can also have an SMS sent to you. So there, you know, with SMS,
[30:46.010 --> 30:53.110]  you already see one problem with the SMS copy service. But there are also services where,
[30:53.110 --> 30:59.250]  you know, to do a password reset and so on, you can also ask the service provider to give
[30:59.250 --> 31:07.190]  you a robot call and to read the PIN code for you out loud. So one of the things I was curious about
[31:07.190 --> 31:15.070]  is, hmm, can I initiate a password reset for someone online and ask that service to make a
[31:15.070 --> 31:24.190]  phone call and just, well, go directly to voicemail and enter that PIN code into the voicemail box,
[31:24.190 --> 31:29.470]  so I can get access afterwards, listen to the code and use it to get access to an account.
[31:29.470 --> 31:37.290]  Interesting experiment. So, you know, let's hack. And what I did, I used the same service
[31:37.290 --> 31:43.070]  as Paris Hilton from 2006, which is called SpoofCard. They are still operational today,
[31:43.070 --> 31:49.210]  and they are still doing their fancy little tricks today. But of course, they do say that
[31:49.210 --> 31:55.090]  this service is to protect your privacy. And you should, of course, not use this for any kind of
[31:55.090 --> 32:03.270]  legal purposes. So I did. And the case number one was Telenor, the biggest telco in Norway.
[32:03.630 --> 32:10.570]  I managed to get access to people's voicemail. Of course, I did this under a responsible disclosure.
[32:10.610 --> 32:16.710]  And I also talked to my potential victims, friends, family and others, co-workers, and asked
[32:16.710 --> 32:22.590]  them, can I try this? And if you want to listen in, you can do that. I showed them how I could
[32:22.590 --> 32:28.670]  very easily use SpoofCard to get access to their voicemail, listen to the messages, delete them,
[32:28.670 --> 32:35.790]  and also change the welcoming message for the voicemail. I told Telenor about this on a Tuesday
[32:35.790 --> 32:42.270]  and on the Thursday they had fixed it. So in less than 48 hours, which is really, really good.
[32:43.830 --> 32:50.730]  They also, of course, after, you know, fixing this, there was a media article and they said
[32:50.730 --> 32:56.770]  that they were sorry for this and they acknowledged that this vulnerability had probably
[32:56.770 --> 33:04.150]  been available for use and abuse for 13 years or more, you know, dating all the way back to
[33:04.150 --> 33:15.390]  the Paris Hilton incident. 13 years. An interesting thing is, this specific service, SpoofCard,
[33:15.390 --> 33:23.010]  was mentioned all the way back in 2006 in Norwegian mainstream media. But when Telenor
[33:23.010 --> 33:34.730]  was informed about this in November 2019, they said, never heard of it. Which is, well, I mean,
[33:34.730 --> 33:44.090]  you don't have to read mainstream media, do you? But in this case, I was a bit, well, surprised.
[33:45.390 --> 33:53.790]  And as a consequence of my findings in this, the Norwegian government agency that is overseeing
[33:53.790 --> 34:00.070]  the telecom industry in Norway, they chose to issue a fine of 1.5 million Norwegian kroner,
[34:00.070 --> 34:07.270]  that is the equivalent of 165,000 US dollars today, as a fine because they didn't have sufficient security
[34:08.250 --> 34:14.250]  for the voicemail system. And depending on the country you're in, if you're in the US,
[34:14.250 --> 34:22.730]  I would guess a fine of 165,000 US dollars doesn't sound much. In Norway, to the company,
[34:22.730 --> 34:31.710]  it's pocket change, not even that. But it is very, very rare that any company is being given any fine
[34:31.710 --> 34:40.230]  at all by this government agency. So that sort of underlines the seriousness of this security breach.
[34:40.230 --> 34:47.850]  And also our Norwegian data protection agency, they also issued a reprimand to Telenor saying
[34:47.850 --> 34:54.330]  that this is really not good, and you have basically violated two different GDPR articles
[34:54.330 --> 35:01.950]  on this. But since you have already been fined once, we are not going to slap another fine on
[35:01.950 --> 35:09.770]  top of that. That's usually not how it's being done here in Norway. And there's case number two,
[35:09.770 --> 35:14.970]  because I asked friends in other countries as well, can I try to hack your voicemail box?
[35:15.110 --> 35:25.210]  So with Telia in Denmark, the Version2 news website in Denmark, they tried this out on my
[35:25.210 --> 35:32.070]  behalf, and they found that this works. I approved it for them. I talked directly to Telia, they
[35:32.070 --> 35:37.390]  fixed it, and they also ended up in the news saying that this is a big scandal, and it's not
[35:37.390 --> 35:44.580]  just in Denmark, it also applies to other providers in Norway and in Sweden.
[35:48.070 --> 35:55.050]  And kind of fascinating that Version2 even has an article saying that Telia is now considering
[35:56.090 --> 36:01.290]  better voicemail security. So I'm sort of waiting to see what's going to happen there, but hopefully
[36:01.290 --> 36:09.710]  it has already improved. Case number three is Tele2, which is the third provider that I found
[36:09.710 --> 36:15.850]  vulnerable in this. Based in Sweden, they operate in eight different countries. I tested against
[36:15.850 --> 36:22.030]  voicemail boxes of people in Sweden. I found them to be vulnerable. I got access to their voicemail.
[36:22.470 --> 36:29.350]  I do not know about the, you know, hackability of Tele2 voicemail boxes in other countries where
[36:29.350 --> 36:36.270]  they operate, because I didn't test, but Tele2 says, nope, they are not vulnerable. So hopefully
[36:37.410 --> 36:46.490]  that's true. At least, again, this also led to media attention in Sweden. Again, back to, you
[36:46.490 --> 36:53.890]  know, my fascination of the different ways of how this was handled, or wasn't handled at all
[36:53.890 --> 36:59.110]  in the different countries. In Norway, there was a lot of media attention on this. Mainstream media
[36:59.110 --> 37:04.370]  picked it up. A fine has been issued. A reprimand has been issued by the Data
[37:04.370 --> 37:11.050]  Protection Agency of Norway. In Denmark, there has been a little bit of media attention, but
[37:11.050 --> 37:16.510]  politicians have said, well, the problem is fixed, so there's nothing left for us to do, and we'll
[37:16.510 --> 37:20.090]  just leave it to the telecom providers to, you know, they have to talk to each other and figure
[37:20.090 --> 37:28.790]  out what to do. And that's it. And in Sweden, pretty much nothing has happened at all so far.
[37:29.110 --> 37:35.550]  In fact, there was one or, I think it was, two or three articles in total about this,
[37:35.550 --> 37:45.030]  and then it went completely quiet. But all in all, I found that several million people across Norway,
[37:45.030 --> 37:53.350]  Sweden and Denmark were affected by this, and have most probably been affected for 13 years or more.
[37:53.350 --> 37:59.830]  At the same time, the telecom providers, they have logs that maybe go back two, three or four
[37:59.830 --> 38:07.170]  weeks in time. So proving or disproving that this hasn't been hacked and abused by anyone for the
[38:07.170 --> 38:15.170]  past 13 years is completely impossible. So they have concluded that, well, since we haven't heard
[38:15.170 --> 38:23.330]  anyone complain about it, nobody has probably been hacked. And there's nothing we can do about that.
[38:25.530 --> 38:29.870]  So I just want to say that, you know, this is sort of still a work in progress,
[38:29.870 --> 38:37.210]  but I would really, really, you know, recommend you to listen in on the talk from Kelly Robinson
[38:37.210 --> 38:43.870]  on Sunday here at the Crypto and Privacy Village, where she will be talking about STIR/SHAKEN.
[38:43.930 --> 38:48.430]  Not saying anything more than that, just listening to that talk. And by that,
[38:48.430 --> 38:54.390]  we have reached the end. And I say, thank you. And I am ready for your questions now,
[38:54.390 --> 39:02.410]  or you can contact me later. You have my cryptic contact details here on screen. Thank you.
[39:33.840 --> 39:40.480]  That was the talk, Hacking Like Paris Hilton 14 Years Later and Still Winning, by Per.
[39:44.570 --> 39:50.770]  We have him here for our live Q&A, so please put your questions in the Discord CPV Q&A channel.
[39:52.150 --> 39:58.530]  So Per, one of the first questions we have is, in the USA, many carriers use the phone number
[39:58.530 --> 40:03.350]  as a default PIN. So if you spoof the number and call as voicemail, you can access it using
[40:03.350 --> 40:07.770]  the phone number as the default PIN, if the user didn't change it, and a lot of people don't.
[40:07.770 --> 40:14.170]  Is that the same outside the US of other carriers? Well, I can say for sure that at least that's not
[40:14.170 --> 40:22.010]  what we have. That's not what we have here in Norway. I haven't seen this in Sweden or Denmark,
[40:22.010 --> 40:26.930]  but I really can't answer for all telecom providers in all the countries
[40:27.630 --> 40:35.230]  outside the US. That's impossible to do. But I do have my suspicions that you will find
[40:35.510 --> 40:41.590]  a lot of bad security connected to both voicemail accounts, and also in general,
[40:41.590 --> 40:47.750]  the accounts where you can log in on your telco homepage for, in any way,
[40:47.750 --> 40:53.550]  administrating your subscription with that. Awesome. Thank you so much for that.
[40:54.650 --> 40:58.950]  In your ideal world, what would you like to see exist in place of the current available
[40:58.950 --> 41:07.350]  options that we do have? Well, there are many facets to this. And one of the things that I
[41:07.350 --> 41:13.990]  pointed out early in my presentation is starting with whenever you go into a shop and say that you
[41:13.990 --> 41:20.270]  want a new SIM card, or if you want a data SIM card, or a twin SIM card, if you want a new
[41:20.270 --> 41:26.330]  subscription, if you want to change it, if you want to end it, to move it to another telco,
[41:26.330 --> 41:34.430]  and then you have the issues of logging on to your telco provider to administer your subscription
[41:34.430 --> 41:43.230]  there, like this SMS copy service, which is now, of course, turned off, and options like that.
[41:43.230 --> 41:50.170]  Then you also have the stuff like doing the voicemail hacking using spoofed numbers. Now,
[41:50.170 --> 42:01.090]  some of the issues are specific to each telco provider, like the absence of two-factor
[42:01.090 --> 42:06.310]  authentication for administrating your account. And then you have the security awareness training
[42:06.310 --> 42:12.370]  for staff on help desk, online chat, and in stores. But there are also problems with the
[42:12.370 --> 42:20.750]  basic telco networks worldwide for mobile communication using the SS7 protocol and
[42:20.750 --> 42:27.010]  stuff like that. And that is, I'm not going to say it's an unsolvable problem, but it's not up
[42:27.010 --> 42:35.050]  to a single telco provider to fix it. It's not up to a single country to fix it. And basically,
[42:35.050 --> 42:42.010]  if you are to fix the fundamental security issues that we have in the GSM networks today,
[42:42.010 --> 42:47.510]  all providers and makers of phones, of networking equipment, all the telcos,
[42:47.510 --> 42:53.350]  they have to come up with solutions. And you have to replace all the handsets in the world.
[42:53.410 --> 42:59.010]  And we can't do that. That's just impossible to expect that to basically ever happen.
[42:59.090 --> 43:03.970]  So one of the things that are coming now, which is very interesting, of course, as I said,
[43:03.970 --> 43:09.890]  Kelly Robinson will be talking about STIR/SHAKEN. So I'm not going to spoil that anymore,
[43:09.890 --> 43:15.950]  but that's a talk that I really hope people will listen to. And one of the things that I'm doing
[43:15.950 --> 43:22.930]  as well is trying to, to the extent I can, I'm trying to pressure the Norwegian government and
[43:22.930 --> 43:28.670]  also the governments in Sweden and Denmark as well, together with other people, to ask the
[43:28.670 --> 43:34.310]  telcos to at least look into STIR/SHAKEN, and eventually also consider, can it be implemented?
[43:34.490 --> 43:41.230]  And how can we make the rest of the world implement it as well? So long answer to a short question.
[43:41.970 --> 43:46.250]  Wow, that was a really great, thorough answer. Thank you so much. So another question we have
[43:46.250 --> 43:52.330]  is, should we just disable our voicemails then at that point? Oh, yeah. Oh, yeah. Disable voicemail
[43:52.330 --> 43:58.910]  now. I mean, there's absolutely no point... I can't really understand why people are using
[43:58.910 --> 44:09.570]  voicemail at all. And I was in Czech Republic last year, I think. And I was surprised to hear
[44:09.570 --> 44:16.850]  from friends in the Czech Republic that voicemail, nah, no, they don't have that with their
[44:16.850 --> 44:22.470]  phone subscriptions. And I asked around, and they couldn't think of any friends or family
[44:22.470 --> 44:29.430]  who had voicemail. In Norway, we have three companies that are providing a physical
[44:29.430 --> 44:36.530]  infrastructure for mobile communications. And then we have lots of virtual operators as well.
[44:36.530 --> 44:43.790]  And all of them, absolutely all of them, by default, provide voicemail as a part of the service.
[44:43.790 --> 44:49.930]  And there actually is no option to say, I don't want voicemail, but they do have options to turn
[44:49.930 --> 44:56.190]  it off. So one of the things I would like to see is that, you know, well, I just don't need
[44:56.670 --> 45:06.930]  voicemail at all. And I actually... I just don't pay for it either, because I can turn it off,
[45:06.930 --> 45:17.530]  but I'm sort of still paying for it. Yeah, that's actually really... huh, I did not realize
[45:17.530 --> 45:21.630]  that was an option in other places like that. Thank you. You kind of answered some of this
[45:21.630 --> 45:27.910]  question already, but someone asked, as a regular user, what can I do to protect myself, if anything,
[45:27.910 --> 45:34.850]  or is it completely out of my hands? Well, to protect yourself, you know, I'm working as a
[45:34.850 --> 45:40.970]  security officer for a large hotel chain. And of course, I've been asking my colleagues and
[45:40.970 --> 45:47.190]  friends about this as well, you know, what do you think about this? And of course, I can say,
[45:47.190 --> 45:53.010]  I have truly scared a lot of people by being able to sort of hack into their voicemail using a
[45:53.010 --> 45:58.910]  spoofed phone call, and also making phone calls that appears to be coming from your mom, or your
[45:58.910 --> 46:04.090]  dad, or your brother, or whoever it is. And they are really surprised to see that I can do that.
[46:04.090 --> 46:10.590]  So there are some things you can do. And the very simple thing that you can do is that whatever text
[46:10.590 --> 46:17.090]  message you are receiving, or the phone number, or the name that you see in the display on your phone
[46:17.090 --> 46:25.650]  when somebody is calling you, do not trust it. Because it is exceptionally easy to spoof.
[46:26.670 --> 46:33.770]  And I don't know how, you know, I don't know, you know, you're in the US, so I don't know
[46:33.770 --> 46:38.910]  how much people in the US in general know about phone spoofing, you know, number spoofing,
[46:38.910 --> 46:45.770]  and text message spoofing. But to people here in Norway, the vast majority of people in the
[46:45.770 --> 46:51.910]  IT security industry were absolutely clueless about this existing at all, when I started
[46:51.910 --> 46:56.630]  working with this. And when I did my initial presentations last year, people were shocked
[46:56.630 --> 47:03.530]  that this was possible. So as an end user, first and foremost, do not trust that the number you
[47:03.530 --> 47:11.370]  or the name you see in your display are correct. No matter who calls or texts you, do not trust it.
[47:13.760 --> 47:17.920]  As a millennial who does not pick up any phone calls at all, that's really fascinating to know
[47:17.920 --> 47:25.440]  about. Oh, yeah, you youngsters. Yeah, well, yeah. I mean, you have a completely different
[47:25.440 --> 47:31.360]  sort of way to protect yourself in this area. But I know, again, robocalls, as far as I know,
[47:31.360 --> 47:40.420]  is a very big problem in the US. It almost doesn't exist over here yet. Except for the
[47:40.420 --> 47:45.480]  one where Microsoft is calling you to say you have a computer virus on your system. That's
[47:45.480 --> 47:53.900]  the only robocalls we get. And when I got one last year, I was like, yes, finally. So there you go.
[47:54.160 --> 47:58.740]  That is a very different reaction that I have, I think, along with other people.
[47:58.740 --> 48:03.720]  Oh, gosh. With that said, thank you so much again, Per, for all of your answers to this Q&A
[48:03.720 --> 48:08.340]  and for your talk today. Please take care and enjoy the rest of your DEF CON.
[48:08.500 --> 48:11.120]  I hope you have fun. Thank you so much again.
